For many manufacturers and suppliers, Covid-19 is only the second-most feared pandemic. The ongoing threat of having internal systems hijacked and held for ransom – colloquially known as a ransomware attack – will surely outlive the specter of the virus shutting down a facility.
We know of a few instances where this has occurred in the printed circuit industry. A few years ago, a publicly traded board fabricator saw almost all its sites in North America hit, with the hijacked sites taken offline for a few days to a few weeks. Sales and deliveries were affected. In late 2020, Foxconn, the big daddy of the electronics industry, suffered a ransomware attack at its plant in Juarez, Mexico, where attackers stole some files, deleted others, and encrypted the manufacturer's servers. The hackers sought a reported $34 million to release the data. Compal, another top 10 EMS/ODM, was also hit. In all likelihood, it's happened more often than has been publicized.
Still, efforts to immunize the US defense supply chain and others against these hacks have been met with mixed reviews. One primary reason: cost. Bringing systems up to date and maintaining them over the long haul requires highly trained engineers who can cost $100,000 or more per year while not adding to the bottom line.
They may not have a choice.
A new policy being handed down from the Biden administration imposes mandatory regulations on American companies that service so-called critical infrastructure – which goes well beyond the Pentagon. As Travis Kelly, chairman of the Printed Circuit Board Association of America, noted on our PCB Chat podcast this month, critical infrastructure includes everything from financial services and healthcare to energy and transportation; in short, anything connected to computer networks, and thus hackable.
At press time, a draft of the 35-page document titled "National Cybersecurity Strategy" was being circulated in Washington but had not been signed by President Biden and was not generally available. (It was due to be signed by the end of January.)
Media reports, however, from journalists who nabbed a copy of the draft indicate it calls for the US to take a new, more aggressive tack to "disrupt and dismantle" hacker networks.
This effort will be coordinated by the FBI's National Cyber Investigations Joint Task Force as well as the myriad other US security agencies. And the private sector will also be called on to contribute, both as early warning sources – sharing intrusion reports – and as an ancillary attack force.
The reports further indicate that the defensive cybersecurity regulations set forth in the new policy will almost assuredly be more comprehensive than ever before. Moreover, what was formerly voluntary is going to become mandatory.
The good news is that policymakers recognized – supposedly – that different industry sectors have different needs, and tried to tailor the regulations to fit each marketplace. The bad news is, as a supplier to every critical infrastructure segment, it's almost impossible to see how the electronics industry will avoid changes – and the related costs.
That's right: "Almost impossible." There's a chance the administration lacks the clear authority to impose regulations on manufacturing without Congressional approval.
Still, the frequency with which ransomware attacks are occurring is rising, and the likelihood that manufacturers can sidestep new controls – be they imposed by government or their own customers – probably just got lower.
mike@pcea.net
@mikebuetow
P.S. A warm welcome to Jacqueline Bress, our new events manager. She is a CMP (Certified Meeting Professional) with more than 10 years' experience planning conferences and shows of all sizes, and is based in Georgia.